Today's ISN Sponsor: Repent Security Incorporated
---------- Forwarded message ----------
From: 7Pillars Partners <partners@sirius.infonex.com>
To: g2i list <g2i@xmission.com>, IWAR list <iwar@sirius.infonex.com>
Posted at 10:12 p.m. PST Sunday, March 8, 1998
Identifying Net criminals difficult
BY DAVID PLOTNIKOFF
Mercury News Staff Writer
The special Internet offer for a 60-piece socket-wrench set sounded
too good to be true. It was. Three weeks after mailing your check to
an out-of-state P.O. box, no goods have arrived. The Web site you
ordered from is gone. The angry e-mail you sent came back as
undeliverable. Potential loss: $19.95.
Internal copies of your software company's breakthrough
application, due for release next quarter, have been posted to the Net
by a disgruntled ex-employee. Potential loss: $9 million in R&D --
and your job.
What began as an innocent chat-room flirtation isn't so innocent
anymore. The last e-mail message you received began: ``I know
where you live. I know where you work. I know where your kids go
to day care. . . .'' Potential loss: Your life.
There is no way to calculate how many hundreds or thousands of
times each day the Net brings crime into some unsuspecting person's
life. But a report released by the Computer Security Institute found
that nearly two-thirds of the 520 corporations, government offices,
financial institutions and universities queried had experienced
electronic break-ins or other security breaches in the past 12 months.
Although fewer than half the companies assigned a dollar amount to their
losses, the estimated total from those that did is staggering: $236 million
for the last two years.
With nearly a quarter-billion dollars vanishing into the ether, you'd think
someone would call the cops.
But those charged with enforcing the law in cyberspace say the vast majority
of Net-borne crime never reaches the criminal justice system. And in the
relatively few instances where a crime is reported, most often the
criminal's true identity is never found.
The San Jose Police Department's elite high-tech crimes unit is every
citizen's first line of defense when trouble comes down the wire in the
capital city of Silicon Valley. But today, four years after the explosion
of the Internet as a mass market, even the top technology-crimes
police unit in the country finds itself with just a handful of Internet
crimes to investigate.
SJPD was first in the nation
In 1986, when the San Jose Police Department became the first local
law enforcement agency in the nation to add a high-tech crimes detail,
fewer than 10,000 computers -- most of them government and
university mainframes -- were connected to the Internet. The word
``Internet'' -- and the concept of crime on it -- would not enter the
public consciousness until 1988, with the release of the first
widespread virus, the ``Morris Worm.'' In the beginning, the unit
consisted of just one sergeant and one officer, and the focus was on
the millions of dollars worth of components disappearing off the
loading docks of the city's high-tech manufacturers.
Today a handful of other metropolitan police departments have similar
units, but San Jose's team still occupies a singular position. ``They are
the leader in the nation,'' says Lee Curtis, Silicon Valley chapter
president for the international High Technology Crime Investigation
Association. ``They're clearly the largest and the best.''
Of the approximately 25 cases the team has open at any given time,
between 50 percent and 70 percent are component thefts and related
fraud. In terms of sheer dollar value, chips are still where the action is.
The team's second largest responsibility is supporting other parts of
the department -- from burglary to homicide. (Whenever a computer
is believed to be involved in a crime, it's the team's job to do the
seizure and the forensic search for evidence).
The Internet slice of the job -- chasing down hackers, stalkers and
assorted scammers -- is too small to even keep statistics on. When
pressed for a guess, Sgt. Don Brister, the unit's supervisor, estimates
that Internet and online-service crimes make up ``probably no more
than 3 or 4 percent'' of the team's workload.
Brister, 44, and the unit's four investigators are all veteran cops, with
lengthy experience in other details ranging from homicide to fraud to
narcotics. But it's hard to think of any prior assignment that could
prepare them to police a territory that has no borders, few maps and
few fixed addresses.
Ask the San Jose team or others in the field what proportion of Net
crime ever appears on the criminal-justice radar and they'll say, in
essence: We are equipped with computers and modems, but no
psychic hotline. ``We're putting out fires,'' says an exasperated Curtis.
``We're reacting to who yells the loudest. We don't go looking for
victims. How much of this problem is getting through to us? I don't
know. It's like asking what percent of America doesn't file tax
returns.''
Of the Net fraud that does get reported, the loss is often too small to
meet the threshold for an investigation. ``It is really not worth the time
going through the criminal justice system spending $10,000 for a
$200 loss,'' says Brister, a 22-year SJPD veteran who transferred to
the high-tech unit a year ago after a stint in fraud. ``Often, with just a
couple hours work on our end, we're able to satisfy the victim. By
making a couple of phone calls and maybe a couple of personal
contacts, we can solve the problem but not have to get the full system
committed.''
Stalking, harassment and other Net crimes that threaten lives take
precedence over property crimes. But once the immediate threat has
passed, victims are often hesitant to press forward with an
investigation. The person making the threats ``is often someone who
the victim has met online and discussed personal things with,'' Brister
says. Many of those victims decide not to pursue the matter because
of fear a spouse or significant other may learn of the digital dalliances.
``I think the fear among victims of being found out sometimes has
been a big mind-changer,'' Brister says.
Likely outcome
In virtually every case where a charge does get filed, the result is
either a guilty plea or a conviction at trial. (Thanks to the
overwhelming amount of evidence gathered for Internet cases, very
few go through to trial.) Brister is proud of the fact that no bad guy
has ever gotten away scot-free from the high-tech unit.
But the challenge usually lies in attaching the right name to the charge.
``Nobody's ever walked -- if we've identified them,'' says investigator
Randy Andrews, a 23-year veteran who's been on high-tech for the
last year and a half. ``The problem is that in about one out of 10 (of
all the cases the unit handles) there's someone identified.'' And the
identification rate for Net crimes may be even lower. ``Usually we
identify (online criminals) only because they made mistakes,''
Andrews says.
Many potential investigations stop cold before they even start because
the investigator knows there's no way to determine the suspect's true
Internet address. Many Internet service providers issue a different
numeric address (called an ``IP'' address) from a pool of such
numbers every time a user signs on. Anonymous remailer services can
automatically strip all identifying data from e-mail and send it on using
a different numeric address. And free Web-based e-mail services
allow users to hide behind disposable, unverifiable e-mail accounts
that are accessible through any machine with a Web browser.
``You can walk into your local library and sign up for an hour's
computer usage and send messages all over the place, and no one's
going to know who really had their fingers on the keyboard,'' says
Keith Lowry, 44, an investigator who worked almost two dozen Net
cases for the team. Lowry left the unit last fall to take a similar
position with the Santa Clara County District Attorney's Office. ``I've
had several recent cases with those (free, Web-based) e-mail
accounts and they make my job very complicated. You may have the
same log-on identity and a different location each time you access the
mail.''
When a suspect is identified and charged, police must be prepared to
prove conclusively that the suspect was the person using the account
at the time of the crime. ``The only way we can answer that is to have
a telephone line corresponding to the computer location,'' Andrews
says. ``The IP address has to be verified as (corresponding) to that
(street) address. . . . We can say, `We watched the house. Nobody
came. Nobody left. That was the only occupant.' ''
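The lookup Andrews describes, as an added example that is not part of the article: given an IP address drawn from an ISP's dynamic pool and the time of the offending message, find which account held that address, and show why a clock offset or an unzoned complainant timestamp can point at nobody, or at two people. The session log, account names and addresses below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed ISP session log (not from the article): one dial-up session per
# line, with the IP address drawn from a shared pool.  Times are UTC.
SESSION_LOG = """\
acct    ip            start                 end
jdoe    192.0.2.17    1998-03-01T20:55:00Z  1998-03-01T21:40:00Z
msmith  192.0.2.17    1998-03-01T21:42:00Z  1998-03-01T23:05:00Z
jdoe    192.0.2.44    1998-03-02T01:10:00Z  1998-03-02T01:30:00Z
"""

def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 1998-03-01T21:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(text):
    """Turn the log into (account, ip, start, end) tuples, skipping the header."""
    sessions = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        acct, ip, start, end = line.split()
        sessions.append((acct, ip, _ts(start), _ts(end)))
    return sessions

def local_to_utc(s, utc_offset_hours):
    """Convert a complainant's local time (e.g. '1998-03-01 13:00' in PST,
    which is UTC-8) to UTC before matching it against the ISP log.  Matching
    an unconverted local time against UTC records is a classic way to
    attribute an address to the wrong subscriber, or to no one."""
    naive = datetime.strptime(s, "%Y-%m-%d %H:%M")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)

def who_had(sessions, ip, when, slack=timedelta(0)):
    """Return the set of accounts holding `ip` at `when` (UTC).
    `slack` widens the window to absorb clock skew between the complainant's
    mail headers and the ISP's logging host.  An empty result means the logs
    do not place anyone on the address; more than one account means the
    address alone cannot single out a user and corroboration is needed."""
    hits = set()
    for acct, sip, start, end in sessions:
        if sip == ip and start - slack <= when <= end + slack:
            hits.add(acct)
    return hits
```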
Finding the right person
San Jose's investigators are sometimes forced to plow through seven
or eight layers of network identities before the trail finally leads to a
real person. And at each layer, they must work through the Internet
service provider (ISP) that provided the account.
It's hard to gauge the state of relations between the law and the
service providers. While some on both sides may characterize the
exchange of information as cooperative and collegial, others say it is
stiff, guarded and more cumbersome than it need be.
The law itself mandates some of that stiffness. The federal Electronic
Communications Privacy Act requires Internet providers to safeguard
their customers' information. The ISPs can be held liable if material is
released without the proper legal tool. This means every request for
user identities, files or e-mail must be accompanied by a search
warrant or subpoena.
Although ISPs have great latitude to investigate anything within the
bounds of their networks, those investigations rarely make their way
to the police. ``More often than not, we're the ones who initiate the
contact,'' Lowry says. ``I don't recall ever being contacted by an ISP
other than when they're the victim of a crime.''
Andrews' experience is similar: ``Basically, these companies all have
their own investigators, and when their systems are threatened they
become very cooperative. But when it's a privacy issue and the case
involves account holders, each one has a different take on what their
responsibilities are.''
When Net investigations take the San Jose team across state lines to
distant ISPs, the provider may refuse to honor the California search
warrant. In those cases, the team must have the warrant served by a
local counterpart or a federal agent.
Police say America Online -- the largest Internet provider in the land
-- is a prime example of how this jurisdictional disconnect needlessly
delays investigations and hinders the apprehension of criminals. The
Dulles, Va.-based service, with more than 10 million members, says
it's just adhering to the federal privacy law.
America Online will directly honor subpoenas from out-of-state
agencies seeking information on the identity of its customers. But
when the request is for files, such as e-mail, police must get a local
search warrant or court order. That means San Jose's tech team and
every other law enforcement agency outside Virginia must turn to the
FBI or the Loudoun County (Virginia) sheriff for assistance. The latter
will secure a search warrant from the local district court, serve it on
AOL and then relay the information back to San Jose.
One of the largest ISPs -- with connection points in 331 cities in the
United States, Canada and the United Kingdom -- is based almost
within view of San Jose police headquarters. Netcom is a cyberspace
metropolis, more than a half-million members -- and a security force
of six. When trouble comes to Netcom, the in-house investigation is
overseen by John Guinasso, director of corporate integrity and risk
management.
Guinasso says the most common types of cases involve the trading of
child pornography and the theft of credit-card account numbers.
``Back in the old days, you had groups who would (hack their way
onto a network). . . . Now, all they need to do is steal a credit card
number and they're off and running. It's actually easier to do that than
to break a password to get an account somewhere.''
While most Net crimes are actually old crimes -- stalking, harassment,
fraud and theft -- in a new venue, there is at least one criminal act
entirely native to cyberia: ``denial of service'' attacks.
It was this type of hack, which floods servers with bogus queries and
prevents them from establishing connections with legitimate users, that
rocked NASA, the Navy and university computers across the country
recently.
``Nowadays, if some sophisticated cracker wants to cause a
significant problem with a company or ISP, denial of service is one
way to do it,'' says Guinasso, who's been in network security for 12
years. ``It used to be only those crackers who had those capabilities
to develop those tools -- the bad guys had to build their own
weapons. But now those weapons have been made available on the
Internet to any kid who wants them.''
Companies have own forces
Like the ISPs, most of the major tech companies in Silicon Valley
maintain their own internal police forces and do their own
investigations when break-ins or other crimes touch their networks.
Sixty percent of the Silicon Valley membership of the High
Technology Crime Investigation Association comes from the private
sector.
The amount of business transacted over the Net has soared
exponentially in recent years as companies move orders, credit
checks, financial data and other business functions online. Cyber
crime on those networks is up, too. (The Computer Security Institute
survey found crime increased 16 percent in the last year -- and the
dollar value of the losses soared 36 percent.) Still, few corporate
break-ins ever get reported to the SJPD.
There are many reasons for a tech company to avoid involving the
police department: In the case of break-ins to a corporate network
from the Internet, the company may not want to call attention to
security holes for fear of becoming a more prominent target. Often,
they don't want competitors and financial analysts to know they've
been robbed blind.
``We'd get calls all the time,'' Lowry says, ``from corporations who'd
say, `Hey, we've been broken into, either from the outside or the
inside, and we want to go after these people, but we also want to
control how you do it.' ''
Lowry says there are two reasons corporations will fight to keep
investigations in-house: ``Fear of publicity. And fear that someone
who has been successful in stealing intellectual property will end up
sharing that information in court.''
In a more perfect virtual world, one with clearly marked boundaries
and jurisdictions, the San Jose Police Department would get more
credit for the work they do out on the wire. Many of the online cases
they investigate technically belong to other parts of the department,
such as the child-exploitation unit, which takes the lead on child-sex
crimes.
Outside the department, the boundaries are just as blurry: Legally
speaking, a Net crime can occur where the bad guy lives, where the
victim lives or where the financial transaction was made. And while
most of the unit's cases involve victims who are resident in San Jose,
Brister and Lowry can't recall a single Net case that began and ended
entirely within the city limits.
Investigator has doubts
Of all the investigators to chase bad guys through the wires, Lowry
harbors the most doubts about whether law enforcement can fulfill its
mandate on the Net: ``You're assuming we can police cyberspace
and I don't think we can. I don't believe the Internet is to a point
where a government entity can come through and say `I'm going to
control what goes on here.' How do you put a boundary on
something you can't put your hands around?''
Lowry is painfully aware of what the criminal landscape will look like
in years to come, as millions of newcomers take their business and
personal lives to the Net. The fact that most of these woes have yet to
reach the criminal justice system is no comfort to him.
``The scary part,'' Lowry says, ``is we know the storm is coming, but
we don't know exactly what shape it's going to take. The scale is
huge. . . . You're sitting on this beach, knowing it's going to hit, but
you don't know what it is or when it's going to hit.''
If you wish to receive ISN directly, mail majordomo@sekurity.org with "subscribe isn".
ISN is a non-profit list designed to keep Security Professionals aware.
Received on Sat Mar 14 02:40:09 1998